Information Governance Strategic Management Framework


Information Governance

Strategic Management Framework

2015 - 2017

Document Summary

This framework sets out the Cumbria Partnership NHS Foundation Trust (the organisation) Strategic Management Framework and is therefore a working document. The purpose of this framework is to provide clear and effective management and accountability structures, governance processes, documented policies and procedures, a comprehensive IG training programme and adequate resources to manage and embed Information Governance throughout the organisation. It pulls together all the requirements for information governance to ensure that personal information is processed legally, securely, efficiently and effectively in order to deliver the best possible care to patients.

POLICY NUMBER
DATE RATIFIED: 6 August 2015
DATE IMPLEMENTED: 13 August 2015
NEXT REVIEW DATE: April 2017
ACCOUNTABLE DIRECTOR: Director of Strategy and Support Services (Michael Smillie)
POLICY AUTHOR: Head of Information Governance (Yvonne Salkeld)

Important Note:

The Intranet version of this document is the only version that is maintained.

Any printed copies should therefore be viewed as “uncontrolled” and, as such, may not necessarily contain the latest updates and amendments.


IG Framework 2015 – 2017 - Version 1.0 – Final Version – August 2015

Contents

Introduction to this document ... 3

1. Scope ... 4

2. Statement of Intent ... 4

3. Definitions ... 5

4. Duties – Key Responsibilities ... 5

4.1 Trust Board ... 6

4.2 Chief Executive ... 6

4.3 Caldicott Guardian ... 6

4.4 Senior Information Risk Owner ... 7

4.5 Information Asset Owners (IAO) – Senior Heads / Senior Managers ... 7

4.6 Information Asset Administrators (IAA) ... 8

4.7 Information Governance Lead ... 8

4.8 Information Security... 8

4.9 All Trust Employees ... 8

4.10 Information Governance Team – Resources ... 9

5. Information Governance – Key Project Areas ... 9

5.1 Asset Management ... 10

5.2 Audit and Spot Check Compliance ... 10

5.3 Communication ... 11

5.4 Contracts ... 11

5.5 Corporate Records ... 12

5.6 Fairwarning ... 12

5.7 Health Records ... 13

5.8 Human Resources ... 13

5.9 Information Rights ... 13

5.10 Information Security Management ... 14

5.11 Information Sharing Gateway ... 14

5.12 Performance ... 15

5.14 Projects ... 16

5.15 Registration Authority Service ... 16

5.16 Risk Assessment and Incident Management Process ... 17

5.17 Training and Development ... 17

6. Information Governance – Governance Arrangements ... 19

6.1 National Requirements (i.e. Operating Framework, Monitor, HSCIC) ... 19

6.2 IG Toolkit ... 19

6.3 IG Arrangements ... 20

7. Training ... 23

8. Monitoring compliance with this policy ... 23

9. References/ Bibliography ... 24

10. Related Trust Policy/Procedures ... 24

Introduction to this document

Information plays a key part in the clinical and corporate governance of Cumbria Partnership NHS Foundation Trust (referred to hereafter as “the organisation”), and the quality of patient services, planning, performance measurement, assurance and financial management relies upon accurate and available information.

The organisation provides an Information Governance Service to Cumbria Clinical Commissioning Group via a SLA (Service Level Agreement). The aim is to provide high quality IG support services which broadly consist of IG services, IT Security and Access to Information specialist advice and support.

The Information Governance Assurance Framework (IGAF) is the national framework of standards that brings together all statutory, mandatory, and best practice requirements concerning information management. The standards are set out in the Information Governance Toolkit as a road map enabling organisations to plan and implement standards of best practice and to measure and report compliance on an annual basis.

Performance against these standards is mandated by and reported to the Department of Health (DoH) via the CQC (Care Quality Commission) and forms part of the assurance processes associated with Risk Management Standards. Compliance is also required for the Quality Framework for Monitor.

Robust Information Governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources. The way that an organisation chooses to deliver against these requirements is referred to within the Information Governance Toolkit as the organisation’s Information Governance Management Framework (IGMF). The Information Governance Management Framework brings together all the requirements, standards and best practice that apply to the processing of personal information to ensure:

- Compliance with the law;
- Implementation of DoH guidelines;
- Planned year on year improvement;
- IG Toolkit requirements.

This framework sets out the approach the organisation is taking to provide a robust approach to IG standards.

This document provides a summary / overview and sets out an overarching framework for the strategic Information Governance agenda within this organisation (CPFT) and those organisations (CCG) to which we provide an IG service (i.e. Cumbria Clinical Commissioning Group).

1. Scope

This framework applies to:

- All staff of the organisation, including temporary staff, contractors and sub-contractors;
- All information used by the organisation;
- All information systems managed by or used by the organisation;
- Any individual using information “owned” by the organisation;
- Any individual requiring access to information “owned” by the organisation;
- Any organisation that through a Service Level Agreement purchases IG advice and support.

2. Statement of Intent

The statement of intent for the IG Management Framework is to ensure the primary objectives of IG below are achieved:

- Complete the annual information governance assessment and gain sign off within the set timescale, with the aspiration to attain level 3 compliance within three years.
- Provide innovative solutions to IG issues with a view to streamlining business processes.
- Promote the Information Governance agenda, ensuring that it is embedded throughout the Trust to Care Level.
- Develop an effective team dedicated to the promotion and implementation of the Information Governance agenda.
- Build a positive reputation with internal clients by providing sound advice and an efficient, reliable service regarding all IG matters.
- Build a positive reputation with external clients by providing sound advice and an efficient, reliable service regarding all IG matters.
- Evidence lessons learnt through internal and external sources and new initiatives by proactively ensuring policies and procedures reflect the latest requirements and by directing Trust wide cultural change.

The Statement of Intent and IG objectives for the team are:

- To support the provision of high quality care by promoting the ethical, legal, effective and appropriate use of information.
- To encourage responsible staff to work closely together, preventing duplication of effort and enabling more efficient use of resources.
- To develop support arrangements and provide staff with appropriate tools and support to enable them to discharge their responsibilities to consistently high standards.
- To enable the organisation to understand its own performance and manage improvement in a systematic and efficient way.
- To hold information securely and confidentially.
- To obtain information ethically, legally and efficiently, i.e. in line with the Data Protection Act 1998 and relevant codes of practice including those issued by the Department of Health and professional regulatory bodies.
- To record information accurately and reliably and with the consent of the individual concerned (staff and / or patient).

- To disclose information ethically, lawfully and as minimally as possible within those two requirements.
- To achieve safe care and the maximising of respect for patient privacy and dignity.

There are a number of legal and ethical obligations placed upon the Trust for:

- The use and security of personal identifiable information;
- Appropriate disclosure of information when required;
- Regulatory frameworks for the management of information via the HSCIC IG Toolkit;
- NHS and professional Codes of Conduct for consent to the recording, sharing and uses of information;
- Operating procedures and codes of practice adopted by the NHS.

3. Definitions

Information Governance is an ‘umbrella term’ that forms the elements of law and policy from which applicable information governance standards are derived. It encompasses legal requirements, ethical considerations, national guidance and best practice in information handling, including:

- The common law duty of confidentiality
- Data Protection Act 1998
- Information Security
- Information Quality
- Records Management
- Freedom of Information Act 2000

Whilst a key focus of information governance is the use of information about service users, it applies to information recording and information processing in its broadest sense and underpins both clinical and corporate governance. Accordingly, it should be afforded appropriate priority; it is increasingly gaining a higher profile following national incidents where information about members of the public has been mislaid.

Asset management – the types of attributes that we record to ensure we manage assets appropriately are:

- Ownership: the organisation owning the asset, asset owners, asset administrators etc.
- Documentation: information governance accreditation documentation details and status.
- Technical: hosting information, servers, access methods etc.
- Suppliers: supplier (including supply chain), contracts, licences etc.
- Relationships: relationships with other organisations (sharing agreements etc).

4. Duties – Key Responsibilities

Senior roles within the organisation supporting the Information Governance agenda are held by the Organisation’s Senior Information Risk Owner (SIRO), the Caldicott Guardian, the Head of Information Governance and supported by the IG Team.

4.1 Trust Board

In his communications with NHS Trust Chief Executives, the NHS Chief Executive has made it clear that ultimate responsibility for IG in the NHS rests with the Board of each organisation, who should note that:

- The major NHS organisations must update the Toolkit assessment at three intervals during the year (end of July, October and March) to enable performance and actions to be tracked by commissioners and other monitoring bodies.
- The NHS Operating Framework requires organisations to achieve level 2 performance against all key requirements identified in the Information Governance Toolkit. Organisations must provide assurance that they are meeting these key requirements and must have robust improvement plans to address any shortfalls against other requirements.
- Details of serious incidents involving actual or potential loss of personal data or breach of confidentiality must be published in annual reports and reported via HSCIC and to the Information Commissioner.

4.2 Chief Executive

The Trust’s Accountable Officer is the Chief Executive who has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level.

Information risks are handled in a similar manner to other risks such as financial, legal and reputational risks. Reference to the management of information risks and associated information governance practice is now required in the Statement of Internal Control, which the Accounting Officer is required to sign annually.

4.3 Caldicott Guardian

The Caldicott Guardian also holds the position of Medical Director (Dr Andrew Brittlebank, Medical Director). The Caldicott Guardian role:

- Is advisory;
- Is the conscience of the organisation;
- Provides a focal point for patient confidentiality and information sharing issues;
- Is concerned with the management of patient information.

The Caldicott Guardian is the person with overall responsibility for protecting the confidentiality of person identifiable data (PID). The Caldicott Guardian plays a key role in ensuring that the organisation and partner organisations abide by the highest standards for handling PID and adhere to the Caldicott Principles. It is the responsibility of the Caldicott Guardian to feed back any IG issues to the Senior Management Team. The Caldicott Guardian (or designated individual) is a member of the Information Governance Board.

4.4 Senior Information Risk Owner

The SIRO is the Director of Strategy and Support Services (Michael Smillie). The role:

- Is accountable;
- Fosters a culture for protecting and using data;
- Provides a focal point for managing information risk and incidents;
- Is concerned with the management of all information assets.

The SIRO is an Executive Board member with allocated lead responsibility for the Trust’s information risks and provides a focus for the management of information risk at Board level. The SIRO chairs the Information Governance Board.

For Cumbria Clinical Commissioning Group the SIRO is Charles Welbourn.

4.5 Information Asset Owners (IAO) – Senior Heads / Senior Managers

IAOs are senior / responsible individuals working in a relevant business area. Their role is to understand what information is held, what is added and what is removed, how information is moved, who has access and why. As a result they are able to understand and address risks to the information, ensure that information is fully used within the law for the public good, and provide written input to the SIRO annually on the security and use of their assets.

When identifying an IAO, the Trust will consider the risks of the information asset rather than the size of the asset. The IAO need not be the creator or even the primary user of the asset, but they must have a good understanding of what the business needs from the asset and how it is used. For assets that have significant risks associated with them, consideration should be given to having a senior IAO assigned in certain circumstances. For example, for RIO the senior IAO will be the Director of Nursing, with the IAO under the management structure in place being the General Manager, and the IAA (information asset administrator) being the management lead. See the example hierarchy below.

For other specific information assets (i.e. the SOEL dental system) the Clinical Director responsible for the service will be the IAO.

Example hierarchy (diagram in the original): (Senior) IAO: RIO (Director of Nursing); IAO: RIO (Children Services), General Manager; IAA: Universal Clinical Services Manager (Sue Harper); IAA: Specialist Clinical Services (Gill Ireland); IAO: RIO (Mental Health), General

An IAO will be responsible for an information asset in terms of:

- Identifying risks associated with the information asset;
- Managing and operating the asset in compliance with policies and standards; and
- Ensuring controls manage all risks appropriately.

The role is flexible and will undoubtedly be performed in addition to existing duties and for some responsibilities may be shared between many individuals.

4.6 Information Asset Administrators (IAA)

IAAs work on a day to day basis with information contained in an information asset (see definition above). They have day to day responsibility, ensure that policies and procedures are followed by staff, recognise actual or potential security incidents, and consult their IAO on incident management. IAAs are senior individuals, usually the head of department or the person with ultimate responsibility for the information asset.

4.7 Information Governance Lead

The Information Governance (IG) Lead is the Head of Information Governance (Yvonne Salkeld). The Head of Information Governance is responsible for ensuring the organisation meets its statutory and corporate responsibilities and engenders trust from the public in the management of their personal information. The Head of IG is accountable for ensuring effective management, accountability, compliance and assurance for all aspects of IG. The key tasks include:

- Responsibility for delivering a high quality specialist Information Governance Service to the Trust and its customers (i.e. Cumbria Clinical Commissioning Group);
- Providing strategic direction, planning and guidance to ensure compliance with information governance legislation and the national agenda;
- Ensuring work practices are evaluated and supported through the development of appropriate policy and procedures across the organisation;
- Acting as Data Controller for the Trust.

4.8 Information Security

The Head of IT (Ian Waterhouse), with delegated responsibility to the Information Security Manager (Steve Jarvis), is responsible for the provision and management of a high quality, customer focussed Information Technology Security Advisory Service, using expertise to manage security issues, identifying best practice and making recommendations for local implementation. These individuals work closely with the Information Governance team.

4.9 All Trust Employees

All Trust employees and anyone else working for the organisation (e.g. agency staff, honorary contracts, management consultants etc) who use and have access to Trust information must understand their personal responsibilities for information governance and comply with UK law. All staff must comply with Trust policies, procedures and guidance and attend relevant education and training events in relation to IG.

4.10 Information Governance Team – Resources

Staff roles which support the Information Governance agenda are identified in the organisation chart.

The E-Health Department (under the Strategy and Support Services Directorate) holds the dedicated budget for delivering the Information Governance agenda.

Other lead roles to support the IG agenda are as follows:

- Risk management;
- IT for technical security advice;
- Business Continuity Manager;
- RA Team: smartcard, access controls and ID card services;
- IG Performance Team and Information Rights Team supporting IG in their divisions;
- Key focus on IG Performance Management with a designated IG Performance Management Officer;
- Senior Information Risk Owner;
- Caldicott Guardian.

Organisation chart (diagram in the original): Head of IG; IG Performance Management Officer; IG Performance Manager; IG Performance Officer; IG Performance Assistant; IG Data Officer; IG Asset Management Officer; RA Manager; RA Agent x3; Information Rights Coordinator; Information Rights Officers x3.

5. Information Governance – Key Project Areas

Information Governance is based on a series of best practice guidance and adherence to a legal and regulatory framework. Detailed below are the main areas that Information Governance covers, which form our services as part of the IG team’s offering in a Service Catalogue:

5.1 Asset Management

In order to appropriately scope and prioritise risk management efforts, it is necessary to ensure that a complete and accurate information asset register exists. As part of the identification process, it is imperative that all instances of information assets be located. In addition, information assets need to be classified in terms of sensitivity and criticality to the Trust. This information is recorded on the Information Asset Register (Alloy system) which is linked to a sharepoint library where all supporting documentation is stored. It is also essential to ensure that all information assets have an identified owner.

Information Asset Owners are senior individuals involved in running the relevant business. Their role is to understand and address risks to the information assets they ‘own’ and to provide assurance to the SIRO on the security and use of those assets. Identified key risks (those rated medium or high), once assessed by the SIRO, supported by the IG Board, will be considered for inclusion on the Corporate Risk Register.

In addition, any policies related to information asset ownership should reflect the need for succession planning consistent with any Business Continuity Plans (BCPs) drawn up. This will help promote accountability for policy compliance, risk management and PIA requirements throughout the organisation. System level security policies requiring information asset ownership should be in place, as well as processes established to assign ownership as information assets are acquired, transferred or created.

A designated post has been put in the structure in 2015 – 2016 to facilitate this framework for information asset management which is a key task for improvement in 2015 – 2016 due to the introduction of new systems and processes (i.e. EPR) and to ensure legacy systems are archived appropriately.

5.2 Audit and Spot Check Compliance

Using the ICO Guide to Data Protection Audits as a guide, the IG Team have developed an audit and spot check compliance document. This pulls together the tools required to complete audits in various areas (i.e. 360 degree audits on subject access requests, health records audit, spot check visit checklists). The aim of this approach is to:

- Help to raise awareness of Data Protection and the legal framework on which Information Governance is based;
- Show the organisation’s (i.e. care groups, corporate services) commitment to and recognition of the importance of data protection in day to day working practices;
- Provide some self-assessment of our compliance to support the trajectory of level 3 compliance;
- Identify data protection risks to enable practical, pragmatic and operationally specific recommendations;
- Detail in a central place the audit methodology for the spot checks undertaken by the department.

The focus of the audit approach will be to determine whether the organisation’s policies and procedures are being followed operationally by staff, in order to reinforce and educate, to regulate the processing of personal data, and to ensure that processing is carried out in accordance with those policies and procedures. When an organisation complies with its requirements, it is effectively identifying and controlling risks to prevent breaching the DPA. An audit will typically assess the organisation’s procedures, systems, records and activities in order to:

- ensure the appropriate policies and procedures are in place;
- verify that those policies and procedures are being followed;
- test the adequacy of the controls in place;
- detect breaches or potential breaches of compliance; and
- recommend any indicated changes in control, policy and procedure.

5.3 Communication

The E-Health Dept has a separate communication strategy. The Head of IG has developed a communication plan that feeds into this strategy, indicating the tasks that they are responsible for, namely:

- Publication Scheme (FOI)
- Updating of Intranet and Internet sites relating to IG
- Targeted communication in terms of specific projects (i.e. clear desk policy)
- Production of leaflets
- Fair Processing Notices (or Privacy Notices)
- Development of IG Code of Conduct

This list is not exhaustive but represents a sample of communication materials that are available. See detailed plan.

5.4 Contracts

The Information Governance Team has a work stream plan to ensure that contractors meet the required IG standards in order to meet the IG Toolkit requirement 110. Initially this will focus upon a systematic process of identifying all contracts in place throughout the trust (this includes new contracts and those already in place) and evaluating the supplier’s level of compliance with IG standards as detailed in the Information Governance Standards for Contractors Policy.

The aim for the IG Performance Team for the year is to ensure progress is made in the compliance standards for CPFT contractors, and to ensure a robust escalation procedure is in place for those who do not meet the required standard and pose a risk to the Trust’s information.

5.5 Corporate Records

The aim is to make significant progress in ensuring the Trust is managing Corporate Records effectively, in line with the IG Toolkit requirements and the standards that need to be achieved to reach level three (3) compliance. The team is working to ensure an effective document set is in place to ascertain what is a ‘corporate record’ and to make clear the scope of the work required by IG in line with Toolkit requirements. The focus for the IG Team will be to ensure the documentation and communication set that is produced assists the wider corporate services in effectively managing their records.

This will start with the identification of corporate records within scope; ensuring appropriate responsibility is assigned for the management of those records; leading to a qualitative audit later in the year to ensure that the identified records are being effectively managed throughout their lifecycle.

5.6 Data mapping

The IG Team are responsible for ensuring that all transfers of hard copy and digital person identifiable and sensitive information have been identified, data mapped and risk assessed. It is a legal responsibility of an organisation to ensure that transfers of personal information for which they are responsible (Data Controller) are secure at all stages and therefore as an outcome of this process technical and organisational measures can be put in place to secure these transfers.

This is completed by engaging with operational services through a workshop, mapping the flows and risk assessing them through the Information Sharing Gateway. The Head of IG, with escalation to the SIRO / Caldicott Guardian where relevant, will authorise these flows within the Trust. The aim is that in the coming two years these flows form part of the care stream IG dashboard, so that the IAO (information asset owner) for the relevant clinical / corporate system has visibility of the flows of information from their information asset, and the IAO will assist the IG team in putting in place appropriate technical and organisational measures against unauthorised or unlawful processing of, and accidental loss or destruction of or damage to, personal data.

5.7 Fairwarning

Cumbria Partnership NHS Foundation Trust has implemented a patient privacy monitoring system to further ensure that patient information is protected and secure.

The new patient privacy system, called Fair Warning, will identify patterns of inappropriate and illegitimate access to a patient’s health record and will alert managers. It gives patients the confidence that, subject to their consent, only people involved in their care can access their records. Examples of the patterns identified are employees accessing:

- Records of patients who may be neighbours
- Records of family members
- Their own records (self-examination)
- Celebrity patient records

The Head of IG is the information asset owner of the Fairwarning system and works with operational services in terms of verifying information in order that appropriate action can be taken (i.e. education and awareness, disciplinary etc).
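The access patterns listed in this section map directly onto checks that can be run over an electronic patient record audit trail. The following is an added example written for this page; it is not the Fair Warning product's own rules and not the Trust's configuration. It applies four checks to a constructed audit log (self-access, same surname and postcode as the user for a possible family member, same postcode only for a possible neighbour, and a VIP-flagged record), and suppresses an alert where the user's team has a care relationship with the patient. The staff directory, patient index and log entries are constructed, and the team field, the VIP flag and the recording of an NHS number against staff accounts are assumptions.

```python
"""Illustrative patient-privacy monitoring checks over an EPR audit trail.

Added example for this page: not the Fair Warning product's own rules and not
the Trust's configuration. Directory, patient index and log lines are all
constructed. Staff and patient records are matched on NHS number (assumed to
be recorded for staff accounts as well, so that self-access can be detected)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Staff:
    user_id: str
    surname: str
    postcode: str
    team: str          # assumed: the clinical/corporate team the user works in
    nhs_number: str    # assumed: lets a user's own record be recognised


@dataclass(frozen=True)
class Patient:
    nhs_number: str
    surname: str
    postcode: str
    care_teams: frozenset   # teams with a legitimate care relationship
    vip: bool = False       # assumed flag for records needing extra scrutiny


@dataclass(frozen=True)
class Access:
    when: datetime
    user_id: str
    nhs_number: str
    action: str


# Constructed staff directory and patient index (all values made up).
STAFF = {
    "u100": Staff("u100", "Patel", "CA1 2AB", "CMHT-North", "111 111 1111"),
    "u200": Staff("u200", "Jones", "CA3 9ZZ", "Dental", "222 222 2222"),
}
PATIENTS = {
    "111 111 1111": Patient("111 111 1111", "Patel", "CA1 2AB", frozenset({"CMHT-North"})),
    "333 333 3333": Patient("333 333 3333", "Patel", "CA1 2AB", frozenset({"Dental"})),
    "444 444 4444": Patient("444 444 4444", "Smith", "CA1 2AB", frozenset({"Dental"})),
    "555 555 5555": Patient("555 555 5555", "Famous", "CA9 1XY", frozenset({"CMHT-North"}), vip=True),
    "666 666 6666": Patient("666 666 6666", "Brown", "CA5 5AA", frozenset({"CMHT-North"})),
}

# Constructed audit log: who opened which record, and when.
LOG = [
    Access(datetime(2015, 9, 1, 9, 0), "u100", "111 111 1111", "view"),     # own record
    Access(datetime(2015, 9, 1, 9, 5), "u100", "333 333 3333", "view"),     # same surname and postcode
    Access(datetime(2015, 9, 1, 9, 7), "u100", "444 444 4444", "view"),     # same postcode only
    Access(datetime(2015, 9, 1, 10, 0), "u200", "555 555 5555", "view"),    # VIP, no care relationship
    Access(datetime(2015, 9, 1, 10, 2), "u100", "555 555 5555", "view"),    # VIP, but user is on the care team
    Access(datetime(2015, 9, 1, 11, 0), "u100", "666 666 6666", "update"),  # ordinary care-team access
]


def reasons_for(access, staff=STAFF, patients=PATIENTS):
    """Return the reasons an access event should be reviewed (empty list if none)."""
    user = staff.get(access.user_id)
    patient = patients.get(access.nhs_number)
    if user is None or patient is None:
        return ["unknown user or patient"]   # never silently drop unmatched events
    if user.nhs_number == patient.nhs_number:
        return ["self-access"]               # flagged whatever the user's role
    if user.team in patient.care_teams:
        return []                            # legitimate care relationship
    reasons = []
    if user.surname == patient.surname and user.postcode == patient.postcode:
        reasons.append("possible family member")
    elif user.postcode == patient.postcode:
        reasons.append("possible neighbour")
    if patient.vip:
        reasons.append("VIP record")
    return reasons


def run_monitoring(log, staff=STAFF, patients=PATIENTS):
    """Scan a log in time order; return (user_id, nhs_number, reasons) for events needing review."""
    alerts = []
    for event in sorted(log, key=lambda e: e.when):
        reasons = reasons_for(event, staff, patients)
        if reasons:
            alerts.append((event.user_id, event.nhs_number, tuple(reasons)))
    return alerts


def alerts_by_user(alerts):
    """Count alerts per user: the starting point for a manager's review, not a verdict."""
    return dict(Counter(user_id for user_id, _, _ in alerts))


if __name__ == "__main__":
    for user_id, nhs_number, reasons in run_monitoring(LOG):
        print(f"{user_id} -> {nhs_number}: {', '.join(reasons)}")
    print(alerts_by_user(run_monitoring(LOG)))
```

Each alert is a prompt for the verification step the section describes (checking with the service whether the access was legitimate), not a finding in itself; a shared surname and postcode is a weak signal on its own, which is why the care-relationship check runs first.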

5.8 Health Records

The Health Records function is managed by the Head of Information (Farouq Din). In order to ensure impartiality, the Information Governance Team conducts an annual audit of Health Records trustwide. This is to ensure the Trust is complying with record keeping standards and can demonstrate that patient information is being handled in a way that complies with legislative and regulatory requirements.

The audit will run from September to December each year and each clinical team will be contacted to take part. A final report is produced to show the status trustwide. The results are presented to the Health Records / Data Quality Manager, to ensure that an appropriate action plan is in place to manage on-going improvement, who in turn gives feedback to clinical teams to help facilitate improvement through targeted training.

5.9 Human Resources

The IG Team has the aim to work effectively with the HR department to ensure all the required evidence is supplied for use within the IG Toolkit to maintain level three compliance 2014-15.

In addition to this, through active engagement with HR, and given that the Information Commissioner’s Office is becoming more involved in organisational audits, it has been agreed that IG will monitor HR’s performance against defined objectives detailed within the ICO’s Employment Practices Code. The detail of this will be confirmed with HR, but it seeks to provide evidence that the Trust is ensuring compliance with legislative and regulatory requirements across the board.

5.10 Information Rights

The Information Governance Team has a designated Information Rights arm that deals purely with the large volume of Freedom of Information Act requests and Subject Access Requests (under the Data Protection Act). They respond to all requests received by acknowledging them, finding the relevant information within the Trust, co-ordinating it into a suitable response and ensuring that necessary exemptions are applied, whilst meeting the various legislative requirements in terms of timescales etc. This team is also responsible for providing advice and support to services in terms of disclosure decisions and, where necessary, applying other laws (i.e. Access to Health Records for deceased patients, Section 29(3) requests from the Police).

5.11 Information Security Management

Information Security and its management deals with all aspects of information, whether spoken, written, printed, electronic or relegated to any other medium, regardless of whether it is being created, viewed, transported, stored or destroyed. This is contrasted with IT security, which is concerned with security of information within the boundaries of the technology domain, usually in a custodial capacity.

Following good practice there are six basic outcomes of effective information security governance:

- Strategic alignment – aligning information security management to the Trust’s strategy and in support of its organisational objectives.
- Risk management – executing appropriate measures to mitigate risk and reduce potential impacts on information resources to an acceptable level.
- Value delivery – optimising security investments in support of the Trust’s business objectives.
- Resource optimisation – using information security knowledge and infrastructure efficiently and effectively.
- Performance measurement – monitoring and reporting on information security processes to ensure that objectives are achieved.
- Integration – integrating all relevant assurance factors to ensure that processes operate as intended from end to end.

There is a designated IT security arm managed under the Head of IT who works closely with the IG department to ensure standards are met. The Security Manager feeds into the IG toolkit requirements by ensuring relevant assurance is in place.

5.12 Information Sharing Gateway

The Head of IG has been instrumental in the development of an Information Sharing Gateway via a sub group of the Lancashire and Cumbria IG leads meeting. Funding has been provided via the LPRES initiative and the North West Coast Academic Health Science Network.

The solution known as the “information sharing gateway” provides a tool for IG professionals to work electronically, with the ability to register recipient organisations, and provides a level of assurance against their compliance (i.e. IG Toolkit, PSN etc). It also signs these organisations up to a common information sharing agreement framework (Tier 1). The solution then allows data mapping to take place, capturing the frequency of data transfer, how it is being transferred, when it is being transferred, why it is being transferred etc. This enables a risk assessment rating so that, as Data Controller, we can confirm that flows are lawfully and fairly processed.

(i.e. which information asset) and complements the work being done on information asset management.

5.13 Performance

We are committed to the principle that Performance Management is not solely concerned with the monitoring of key performance indicators (KPIs) but is a tool to drive improvement on performance across the organisation. It is a process which contributes to the effective management of individuals and teams in order to achieve high levels of performance. As such, it establishes shared understanding about what is to be achieved and an approach to leading and developing people which will ensure success.

The Information Governance performance model has been developed to provide a consistent approach to the way IG performance and quality is managed, monitored, reviewed and reported. This model is based on 5 key stages:

Strategic Planning – Development of a plan/strategy with clear objectives. These have been designed to follow the “golden thread principle”, that is, they should link from the highest level (CE objectives) right down to the team member objectives set at appraisal. Seven (7) Information Governance Objectives have been developed and a series of tasks identified that will ensure these objectives are achieved. These tasks have been allocated to individuals, ensuring that everyone understands what is required of them and how they contribute to the overall performance of the team, department and organisation.

Performance measurement and monitoring – Design of key performance indicators (KPIs) and tasks to measure and monitor how well we are delivering on the strategic objectives set out in stage 1. Most important is to ensure the metrics are relevant, meaningful and SMART (Specific, Measurable, Achievable, Realistic and Timely). A full work plan has been developed containing tasks and KPIs, each of which has been allotted milestones and/or targets to ensure that progress can be measured and monitored on a monthly basis.

Business Intelligence (BI), Analytics and Modelling - use the performance data and metrics to analyse performance. This step is all about creating a solid evidence-base to inform decision making. Performance updates will be collated on a monthly basis and tools developed with which to analyse the data.

Reporting and reviewing Performance - Translating the insights gained from performance information into management reports and dashboards and putting the review processes in place to act on the data. Once the data has been analysed, the results will be presented to senior managers and stakeholders using a suite of reports and dashboards currently under development.

Aligning People and culture - Ensuring the people, culture and leadership approaches are focused on performance improvement. This means closing the knowing/doing gap and acting on the insights gained and decisions made in order to generate real

Why is performance management important?

• if you don’t measure results, you can’t tell success from failure
• if you can’t see success, you can’t learn from it
• if you can’t recognise failure, you can’t correct it
• what gets measured gets done

5.14 Policies

Following the demise of the Policy Monitoring Group (April 2015), all information governance policies are approved by the IG Board. This mechanism is in accordance with the Organisation’s policy and resource pack. All policies are made available to staff via the Intranet / Internet site and are communicated via the communication plan (see Communication).

Existing policies are updated and new policies introduced in line with current information governance agenda. These policies provide the organisation’s Staff Code of Conduct and must be read in conjunction with the Organisation’s Staff Handbook and Staff employment contracts.

Policies outline scope and intent and provide staff with a robust IG framework whilst setting out their responsibilities as employees of the Trust. The Trust is committed to ensuring that all staff and those working with the Trust are familiar with the organisation’s objectives and what is expected of staff in order to achieve these objectives. Policies and procedures are one of the key means the Trust uses to communicate these expectations to staff.

5.15 Projects

The Information Governance Team is part of the E-Health Department, which holds the Programme Management Office. When projects are justified and a business case developed, the IG team receives a work package (in line with the agreed template) and completes the relevant checks from cradle to grave (i.e. pre-procurement, contractor compliance checks (DPA / IG Toolkit compliant), ensuring accreditation documentation is in place for services to use in terms of standard operating procedures, training etc.).

5.16 Registration Authority Service

The Registration Authority Service Team currently provides the RA service within CPFT and aims to deliver a quality and efficient service to Trust employees. The Team also provides RA services to primary care and the CCG.

The team is responsible for the registration process by which users of Smartcard-enabled IT applications are authenticated (proven to be who they say they are beyond reasonable doubt) and authorised (enabled to have particular levels of access to particular patient data). The Registration Authority is the governance framework within which the Trust can register individuals as users to access the NHS Smartcard enabled system(s), maintaining the confidentiality and security of patient information at all times. Having a common and rigorous approach to how users are registered and are given access to the national services, and other services, is an integral part of protecting the confidentiality and security of every patient's personal and health care details. In light of the work of introducing a new EPR, an access control strategy will be compiled with the identified positions for staff within the Trust detailed for Caldicott ratification.

5.17 Risk Assessment and Incident Management Process

Potential losses arising from breaches of IT and information security include physical destruction or damage to the organisation’s computer systems, loss of system availability and the theft, disclosure or modification of information due to intentional or accidental unauthorised actions. In addition, healthcare organisations process person identifiable data of particular sensitivity, which needs to be protected from loss or inappropriate disclosure. Clear guidance has been documented and issued to staff and all should be made aware of the organisation’s incident reporting and management procedures (currently via Ulysses). This process is supported by the Trust’s IG policies and procedures regarding information risk management. The process for the investigation of Serious Untoward Incidents is in line with the HSCIC Information Governance SUI Checklist published in February 2015. The Head of IG is responsible for ensuring that adequate arrangements are in place for:

• Reporting IG events or incidents;

• Managing IG risks;

• Analysing, investigating and upward reporting of events/incidents and recommendations in collaboration with STEIS and Information Commissioner’s Office reporting;

• IG work plans progressing recommendations and learning the lessons (identified as a separate IG objective);

• Communicating IG developments and standards to staff;

• Ensuring completion of improvement plans as a result of a SUI investigation.

In addition, when business cases are developed the IG team have a checklist to follow in terms of ensuring that all privacy risks are identified at the start of the project and considered for inclusion; effectively putting privacy by design into the system.

5.18 Training and Development

Information Governance Training and Development is essential for the development and improvement of staff knowledge and skills relating to IG not only within the IG Team but across the Trust. The development of the IG Team is listed as a specific IG objective because of its importance.

IG training must extend beyond basic confidentiality and security awareness in order to develop and follow best practice. Staff must understand the value of information and their responsibility for it, which includes data quality, information security, records management, confidentiality, legal duty, information law and rights of access, and patient’s rights in terms of a right of privacy and choice.

To ensure that different learning styles are catered for, each year a different focus in terms of delivering training is found. Previously the Trust has had a series of face-to-face training sessions (2013 – 2014), e-learning and an IG Code of Conduct Workbook (2014 – 2015), and e-learning tools (with video podcasts) (2015 – 2016) with an updated IG Code of Conduct. This training will be translated onto a video for use in induction sessions and, to ensure that this is open to all staff, it will be transferred onto a podcast based on the Trust’s website that can be used in team meetings to cater for staff (i.e. domestics, porters etc) who don’t necessarily have open access to PCs.

Information Governance training is a mandatory requirement for all staff and is included on induction and on annual refresher. The Trust has been successful for four years running in achieving over 95% compliance with mandatory training and to support this KPI on an on-going basis, methodology has been developed to monitor this closely.

The organisation also utilises the following additional methods to ensure staff are trained in Information Governance:

E-Learning and Video – As explained above (preferred method)

IG Code of Conduct – This was issued to all staff in 2013 – 2014 and is being updated, with printed copies being hand delivered to all staff as part of the induction process and their recruitment into the organisation.

Communication Plan – monthly targeted communication that is issued via the Trust’s Partnership News system and other routes (i.e. screen savers) so that assurance is provided to every member of staff.

Policies, Procedures and Guidelines – staff have clear guidelines on expected working practices and on the consequences of failing to follow policies and procedures. IG awareness and mandatory training procedures are in place (IGTT) and all staff receive training appropriate to their role.

Confidentiality – staff are provided with clear guidance on keeping information secure and on respecting the confidentiality of service users.

Consent – is appropriately sought before personal information is used in ways that do not directly contribute to the delivery of care services and objections to the use of such information are appropriately respected.

Fair processing – individuals are informed about the proposed use of personal information.

Specialist Training for senior roles (SIRO/ Caldicott Guardian) – on an individual and ad hoc basis.

6. Information Governance – Governance Arrangements

6.1 National Requirements (i.e. Operating Framework, Monitor, HSCIC)

The NHS Operating Framework for the NHS in England sets out the key priority areas for systematically improving quality across the NHS. The IG element notes that the legal framework governing the use of personal confidential data in health care is complex. It includes the NHS Act 2006, the Health and Social Care Act 2012, the Data Protection Act 1998, and the Human Rights Act 1998. The law allows personal data to be shared between those offering care directly to patients, but it protects patients’ confidentiality when data about them are used for other purposes.

These “secondary uses” of data are essential if organisations are to run a safe, efficient and equitable health service. The IG element also includes the requirement for all NHS organisations to achieve a minimum of level 2 performance against all key requirements in the IG Toolkit as set out by the Department of Health (DoH). The Trust is ambitious and wishes to be high performing in this regard, with the ambition to reach Level 3 compliance.

6.2 IG Toolkit

The annual information governance assessment is measured via a self-assessment process of compliance against the standards set out in the IG Toolkit and verified by Internal Audit Review (Audit North). The standards are ordered into the following initiatives:

• Information Governance Management

• Information Security Assurance

• Confidentiality and Data Protection Assurance

• Clinical Information Assurance

• Secondary Use Assurance

• Corporate Information Assurance.

NHS organisations are required to submit online IG performance reports to the Department of Health, which can be tracked by monitoring bodies (i.e. CQC, Monitor). There are three submissions:

• 30 July – baseline assessment for organisations;

• 31 October – self-assessment or improvement report;

• 31 March – final annual self-assessment report.

The final performance assessment is submitted by 31 March each year and shared with the Care Quality Commission, and the Audit Commission. The results are reported on the DoH website and made available to the general public. The Trust also provides its own internal End of Year Report.

6.3 IG Arrangements

The ultimate responsibility for Information Governance in the organisation lies with the Trust Board. The Board discharges this function through the Clinical Governance Group. The IG Board is a sub-committee of the Trust’s Clinical Governance Group.

The IG Board will, through the development and routine reporting of agreed key performance indicators, identify risks, measure progress, oversee that any necessary remedial action is taken and is effective, and provide a report to the Trust’s Clinical Governance Committee on a regular basis through the Head of Information Governance, who is a member of the group.

The IG Board has overall responsibility for overseeing the development and implementation of this framework, the IG policy and the IG work plan / performance framework. These will be subject to periodic review and progress reports, with any identified risks highlighted.

The e-health department also has a monthly heads of service meeting with the Director of Strategy and Support Services, and any items affecting the e-health department only will be raised through this forum.

Key representatives meet on a monthly basis as the IG Performance Group to act as the focal point for the monitoring and performance management of business plan objectives.

The terms of reference and key responsibility of each Group are as detailed below. The groups are: Trust Board (overall responsibility); Clinical Governance Group; IG Board; E-Health Heads of Service meeting (chaired by Michael Smillie); IG Performance Group.

Functions of the Committee (marks as recorded against each function; √ = key function of group):

- Act as a focal point for the monitoring and performance management of the improvement plan for information governance standards and to provide assurance to the IG Board / Clinical Governance Groups (as appropriate) on progress against the standards. ◊ ◊ √

- Approve and sign off, on behalf of the Board of Directors, the standards for each element of the Information Governance Toolkit prior to submission to HSCIC.

- Ensure that there is robust evidence (assurance) in place to support compliance against information governance standards. ◊ ◊ √

- Ensure that the Trust has the key evidence to demonstrate that the Trust is maintaining all standards at a minimum of level 2 used to measure IG assurance, with a stretched target to achieve level 3 compliance in line with agreed trajectories. ◊ ◊ √

- Provide an assessment of risk against information governance standards and the action being taken to manage and mitigate against the risks to the Clinical Safety Committee every six months. ◊ √

- Ensure the national policy, strategy and guidance relating to information governance is implemented and evaluated appropriately. √ √

- The IG Board will determine the level of assurance to be given to projects and processes through reviewing and signing off the Information Governance Project checklists. √ √

- Monitor and performance manage the development and maintenance of information sharing agreements with partners and other third parties to ensure the safe and secure sharing of personal identifiable information for both primary and secondary care purposes.

- Monitoring the development and
  procedures to ensure that access to systems through smartcards is undertaken in a way that is safe and secure.

- To provide linkages to the relevant registration requirements with the Care Quality Commission and other regulatory bodies, i.e. Monitor. √ √

- To assist the SIRO (Senior Information Risk Owner) in his responsibilities and develop information risk policies, advising on information risk issues as appropriate. Similarly for the Caldicott Guardian in terms of protecting personal identifiable information.

- Monitoring IG training that is available to staff and its completion in line with requirements detailed in the Informatics Planning component of the NHS operating framework.

- Review all information security and confidentiality incidents that are reported in line with HSCIC guidance. √

- To monitor compliance with the information governance service level agreement with Cumbria Clinical Commissioning Group. √

- To provide a focal point for the resolution and / or discussion of information governance issues. √

- Approval of IG strategies and policies. √

- Ensure completion of all project areas as detailed in this framework which forms part of the Service Catalogue: ◊ √
  - Asset management
  - Audit and spot check compliance
  - Communication
  - Contracts
  - Corporate records
  - Fairwarning
  - Health records audit
  - Human resources
  - Information rights
  - Information security management
  - Information sharing
  - Performance
  - Policies
  - Projects
  - Registration authority services
  - Risk management and incident management process
  - Training and development

√ = key function of group

7. Training

Information Governance is a mandatory training requirement set by the Department of Health and contained within the NHS Operating Framework – Informatics Planning, where it states that “all staff should receive annual basic IG training appropriate to their role.” This is delivered as indicated above. Key individuals within the IG team and wider (SIRO, Caldicott Guardian, Information Asset Owners) need more in-depth IG training dependent on their role, and this forms part of a separate training needs analysis held by the Information Governance department (for IG staff) following appraisal and identification of development needs. The training for the SIRO, Caldicott Guardian and Information Asset Owners is in line with HSCIC IG Toolkit standards. The IG department monitors compliance in terms of ensuring that staff have attended, via the Trust’s agreed process.

8. Monitoring compliance with this policy

The audit and spot check document outlines the Trust’s monitoring arrangements for the IG framework within the Trust. The Trust reserves the right to commission additional work or change the monitoring arrangements to meet organisational needs. In addition, the Information Governance Toolkit requirements are reviewed each year by Audit North (approved Trust auditors).

The monitoring arrangements for the various areas of IG are detailed in the separate document using the ICO Guide to Data Protection Audits.

Aspect of compliance or effectiveness being monitored: Monitored via the arrangements in the document Audit and Spot Check Compliance

Monitoring method: Various (see document)

Individual responsible for the monitoring: Head of Information Governance

Frequency of the monitoring activity: Various (see separate document)

Group / committee which will receive the findings / monitoring report: See governance arrangements (i.e. IG Board, Clinical Governance group etc)

Group / committee / individual responsible for ensuring that the actions are completed: Director of Strategy and Support Services

9. References/ Bibliography

Information Commissioner (2015) ICO Guide to Data Protection Audits

HSCIC (February 2015) Information Governance Serious Untoward Incident Checklist

Data Protection Act 1998

Freedom of Information Act 2000

Human Rights Act 1998

10. Related Trust Policy/Procedures

Appendix A – IG Board Terms of Reference

Name of Committee: IG Board

Connectivity

Reports to: Clinical Governance Group

Committees reporting to this group:
- Lancashire and Cumbria IG Leads
- IG Performance Group
- Corporate Records Group
- Design Technology Authority
- Minutes from ad hoc project groups

Links to this group: Health Records and Data Quality Group

Chair: Director of Strategy and Support Services (SIRO)

Deputy Chair: Medical Director (Caldicott Guardian)

Membership:
- Director of Strategy and Support Services
- Medical Director (Caldicott Guardian or deputy)
- Head of Information Governance
- Head of Information
- Head of IT / Security Manager
- Rotating attendance by IG team manager / supervisors (Registration Authority, IG Performance, Information Rights)
- Designated Care Group representatives to take back relevant issues through clinical governance routes:
  - Specialist Services – Clare Parker
  - Children Services –
  - Mental Health Services – Kath Watts / Katherine McGleenan
  - Community Services – Sarah Sproat
- Ad hoc representation from other organisations on invitation basis by Chair:
  - Audit North
  - Cumbria Clinical Commissioning Group

In attendance:
- Designated Admin support.

File Reference Number: Information Governance Board

Functions of Committee: See 6.3 of IG Framework Document


Outputs from the Group Formal minutes

Achievement of Service Catalogue (see areas covered above)

Achievement of 7 IG objectives:

a) Completion of annual IG assessment and sign off within a set timescale with aspiration to be a level 3 compliance Trust

b) Providing innovative solutions to IG with a view to streamlining business processes

c) Promote the IG agenda ensuring that it is embedded throughout the Trust to care stream level

d) Develop an effective team dedicated to the promotion and implementation of the IG agenda

e) Build a positive reputation with internal clients by providing sound advice and an efficient and reliable service regarding all IG matters

f) Build a positive reputation with external clients by providing sound advice and efficient reliable services regarding all IG matters

g) Evidencing lessons learned through internal, external sources and new initiatives by proactively ensuring policies and procedures reflect the latest requirements and by directing Trust wide cultural change

Quorum One third of membership

Review date May 2017

References

Related documents
